Posted on 11-06-2024 09:31 PM
We have deployed Kerberos SSO extension to all mac devices so that we can access SMB shares from file server.
When we enroll new mac device, for the first time JAMF asks Kerberos credentials and user needs to manually enter the username and password. Once user provided credentials, it receives Kerberos token and token renews automatically.
Issue which I am reporting here is why user needs to enter Kerberos credentials for newly enrolled mac, why it can’t be automated.
JAMF connect menu bar plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" http://www.apple.com/DTDs/PropertyList-1.0.dtd>
<plist version="1.0">
<dict>
<key>Appearance</key>
<dict>
<key>ShowWelcomeWindow</key>
<true/>
</dict>
<key>HiddenMenuItems</key>
<array>
<string>about</string>
<string>changepassword</string>
<string>gethelp</string>
<string>getsoftware</string>
<string>preferences</string>
<string>resetpassword</string>
</array>
<key>IdPSettings</key>
<dict>
<key>Provider</key>
<string>Azure</string>
<key>ROPGID</key>
<string>XXXXXXXXXXXXXXXXXXXXXXXXXXXX</string>
</dict>
<key>Kerberos</key>
<dict>
<key>AutoRenewTickets</key>
<true/>
<key>Realm</key>
<string>XXXXXXXXX</string>
</dict>
<key>SignIn</key>
<dict>
<key>AutoAuthenticate</key>
<true/>
<key>AutoOpenAppAtLogin</key>
<true/>
<key>RequireSignIn</key>
<true/>
</dict>
</dict>
</plist>
Kerberos SSO config:
Kerberos
Payload Type --> kerberos
Realm --> XXXXXXXXXXX
Hosts --> XXXXXXXXXXXX
Mark as default realm when more than one Kerberos extension configuration exist-->Ignored
Automatically use LDAP and DNS to determine the Kerberos extension's AD site name. -->Enforced
Automatic login -->Allowed
User presence to access the keychain entry -->Skipped
Password expiration notification -->15
Posted on 11-07-2024 05:06 AM
@Kalpeshw It's working as designed since the user controls their password, and setting one via Configuration Profile would prevent them from ever changing it.